Official forum for Utopia Community

#1 2023-07-18 21:45:28

Modified Sardonic Backdoor Used by FIN8 Group in BlackCat Ransomware

The BlackCat ransomware has been seen being delivered by the financially motivated threat actor known as FIN8 using a "revamped" variation of a backdoor known as Sardonic.

The development, according to the Symantec Threat Hunter Team, a division of Broadcom, is an effort on the part of the e-crime organization to diversify its focus and maximize profits from infected entities. Dec. 20, 2022 saw the attempted intrusion.

The cybersecurity firm is monitoring FIN8 using Syssphinx. Initially linked to attacks on point-of-sale (PoS) systems using malware like PUNCHTRACK and BADHATCH, the adversary has been active at least since 2016.

The group reappeared in March 2021 with an updated version of BADHATCH, and in August 2021, Bitdefender revealed that the group had developed a brand-new custom implant called Sardonic.

Symantec stated in a report shared with The Hacker News that the C++-based Sardonic backdoor "has the ability to harvest system information and execute commands, and has a plugin system designed to load and execute additional malware payloads delivered as DLLs."

The most recent iteration contains significant changes compared to the previous one, which was created in C++. The majority of the source code was written in C and modified to purposefully avoid similarity.

In the incident that Symantec investigated, Sardonic was incorporated into a PowerShell script that was then executed on the targeted system after initial access was granted. The script's goal is to start a .NET loader, which will then decrypt and run an injector module to run the implant.

"Injecting the backdoor into a freshly created WmiPrvSE.exe process is what the injector is used for," explained Symantec. "When constructing the WmiPrvSE.exe process, the injector makes a best effort to start the process in session-0 using a token obtained from the lsass.exe process."

Sardonic supports three different plugin formats to run additional DLL and shellcode in addition to supporting up to 10 interactive sessions on the infected host for the threat actor to execute malicious commands.

Other capabilities of the backdoor include the capacity to exfiltrate the contents of files from the compromised machine to an infrastructure under the control of an actor and to drop arbitrary files.

This is not the first instance that FIN8 has been linked to a ransomware attack using Sardonic. Lodestone and Trend Micro discovered FIN8's use of the White Rabbit ransomware, which is based on Sardonic, in January 2022.

Symantec stated that Syssphinx "continues to develop and improve its capabilities and malware delivery infrastructure, periodically modifying its tools and tactics to avoid detection."

"The group's decision to switch from point-of-sale attacks to the distribution of ransomware shows the threat actors' commitment to maximizing profits from victim organizations."
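The post describes the injector creating a fresh WmiPrvSE.exe process to host the backdoor. The following is an added defender-side triage example, not code from the post or from Symantec's report: it scans constructed process-creation telemetry for WmiPrvSE.exe instances whose parent is not svchost.exe (the service host that legitimately launches WmiPrvSE.exe). Session 0 alone is not a discriminator, since service-hosted WmiPrvSE.exe also runs there, so the rule keys on the parent image. The CSV field names and sample records are assumptions constructed for this example.

```python
"""Triage helper for process-creation telemetry (defender-side).

Added example, not part of the forum post or Symantec's report. It flags a
WmiPrvSE.exe creation whose parent is not svchost.exe, which is what a loader
spawning its own WmiPrvSE.exe as an injection host would look like.
The CSV layout, field names and records below are constructed for this example.
"""
import csv
import io
from typing import Iterable

# Constructed sample telemetry (not a real capture). Columns mirror common
# process-creation fields: process id, image path, parent image path, session.
SAMPLE_EVENTS = """\
pid,image,parent_image,session_id
412,C:\\Windows\\System32\\svchost.exe,C:\\Windows\\System32\\services.exe,0
1208,C:\\Windows\\System32\\wbem\\WmiPrvSE.exe,C:\\Windows\\System32\\svchost.exe,0
3390,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,C:\\Windows\\explorer.exe,1
3412,C:\\Windows\\System32\\wbem\\WmiPrvSE.exe,C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe,0
"""

# Legitimate WmiPrvSE.exe is launched by the service host (svchost.exe).
LEGIT_WMIPRVSE_PARENT = "svchost.exe"


def basename(path: str) -> str:
    """Return the file name component of a Windows path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_wmiprvse(events: Iterable[dict]) -> list[dict]:
    """Return WmiPrvSE.exe creation records whose parent is not svchost.exe."""
    hits = []
    for ev in events:
        if basename(ev["image"]) != "wmiprvse.exe":
            continue
        if basename(ev["parent_image"]) != LEGIT_WMIPRVSE_PARENT:
            hits.append(ev)
    return hits


def triage(csv_text: str) -> list[dict]:
    """Parse CSV telemetry and return the suspicious WmiPrvSE.exe records."""
    return suspicious_wmiprvse(csv.DictReader(io.StringIO(csv_text)))


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(f"pid {hit['pid']}: WmiPrvSE.exe started by "
              f"{basename(hit['parent_image'])} in session {hit['session_id']}")
```

On the constructed sample, only pid 3412 is reported, because its WmiPrvSE.exe was spawned by powershell.exe rather than the service host.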
